KVKK Privacy Notice vs Explicit Consent in Turkey: Key Rules

Businesses operating in Turkey frequently misread their obligations under the KVKK (Kişisel Verilerin Korunması Kanunu — Turkey's Personal Data Protection Law, Law No. 6698). The most common error is treating a privacy notice and an explicit consent form as interchangeable — or worse, merging them into a single document. Turkish law draws a sharp line between these two instruments, and crossing it exposes companies to administrative fines and enforcement proceedings before the Personal Data Protection Board.

Understanding the Two Obligations

Before looking at what the rules require, it helps to understand why the law treats notification and consent as fundamentally different concepts.

A privacy notice (aydınlatma) is an obligation that exists regardless of how you process data. Under KVKK Article 10, any data controller collecting personal data must inform the data subject — at the moment of collection — about who is collecting the data, what it will be used for, to whom it may be passed, how it is being collected, and which legal basis justifies the processing. This obligation is unconditional. It applies whether you are processing data to perform a contract, to comply with a legal obligation, or for any other reason listed in the law.

Explicit consent (açık rıza) is something quite different. It is one of six lawful bases for processing personal data under KVKK Article 5. The others include processing required by law, processing necessary to perform a contract, and processing based on the controller's legitimate interests. If any of those other bases applies, you do not need consent at all. But when you do rely on consent, it must be freely given, specific, and informed.

The Separation Rule

The Communiqué on the Principles and Procedures for Fulfilling the Notification Obligation (Official Gazette, 10 March 2018) states explicitly in Article 5(f): where processing is based on explicit consent, the notification obligation and the consent-taking process must be performed separately. One document covering both is not permitted.

In practice, this means:

• The privacy notice should stand as its own document — something a person can read and understand before being asked for anything.
• The consent request must come after the notice, presented through a clearly distinct mechanism or form.
• Consent must be obtained for each specific processing purpose; a blanket "I agree to everything" checkbox does not qualify.
• Conditioning access to a service on giving consent — where no other lawful basis exists — is problematic, because consent obtained under that kind of pressure is not genuinely free.

The same communiqué places the burden of proof for having issued the notice squarely on the data controller (Article 5(e)). Without records showing that notification was provided, defending against a complaint becomes very difficult.

What a Valid Privacy Notice Must Include

KVKK Article 10 defines the minimum content. A compliant notice must state clearly:

• The identity of the data controller and any representative
• The purposes for which the data will be processed
• The categories of recipients to whom data may be transferred, and the purposes for that transfer
• The method of data collection and the legal basis relied on
• The data subject's rights under KVKK Article 11

The communiqué adds a plain-language requirement. Vague or catch-all descriptions of processing purposes — phrases like "for business activities" without further detail — do not satisfy the law. Purposes must be specific, clear, and legitimate.

Common Violations That Draw KVKK Scrutiny

In Antalya and across Turkey, businesses in retail, hospitality, e-commerce, and professional services run into the same set of problems:

• Single-document bundling: a form that says "by reading and accepting this privacy notice, you consent to data processing" in one action
• Pre-ticked boxes: consent must be an active and deliberate choice; boxes ticked by default do not satisfy the freely-given standard
• Blanket purpose language: broad phrases that could cover any data processing the company might ever want to carry out
• All-or-nothing consent: making it impossible to use a service without agreeing to all types of processing, including optional ones
• No record of notification: if you cannot demonstrate that notification was provided, you cannot defend against a complaint

For companies operating in Antalya with international clients — whether running a property management business, a hotel, or a professional services firm — these requirements apply to every interaction where personal data is collected.

Enforcement and Fines

Under KVKK Article 18, failing to fulfil the notification obligation under Article 10 carries an administrative fine of between 5,000 and 100,000 Turkish liras. Ignoring a Board decision can cost between 25,000 and 1,000,000 TL, and failing to register with the VERBİS data controller registry between 20,000 and 1,000,000 TL. The enforcement framework was updated by Law No. 7499, which entered into force on 2 March 2024, and fines can now also be challenged before the administrative courts.

Foreign companies are not exempt. If a business processes personal data of people in Turkey — through a local branch, a Turkish-facing website, or a mobile app — KVKK applies to it, regardless of where the company is incorporated. See our guide to KVKK compliance in Turkey for broader context, and our e-commerce and cookie compliance guide if your exposure comes from an online platform.

Frequently Asked Questions

Q: We have a privacy policy on our website. Is that enough?

Not necessarily. An online privacy policy contributes to the notification requirement, but timing and method matter. KVKK Article 10 requires notification at the point of data collection — not just somewhere on the website. If data is collected through a sign-up form, the notice should accompany that form, not be buried in a link elsewhere.

Q: Can we use one consent checkbox for multiple processing purposes?

No. Each processing purpose that relies on explicit consent requires a separate, specifically described consent. A general "I agree to the processing of my data" tick-box covering everything is not valid under KVKK.

Q: We process data based on a contract, not consent. Do we still need a privacy notice?

Yes. The notification obligation under Article 10 applies to all personal data processing, whatever the legal basis. When you rely on contract performance, you do not need consent — but you must still issue a compliant notice that identifies contract performance as your legal basis.

Q: What should a foreign company do if it receives a KVKK fine in Turkey?

Seek legal advice immediately. Under the 2024 amendment, KVKK Board fines can be challenged in the administrative courts, but strict procedural deadlines apply. For companies with international data flows, our article on cross-border data transfers under KVKK is also relevant.

How Mona Hukuk Can Help

Our team advises companies operating in Antalya and across Turkey on structuring data processing practices that comply with KVKK — reviewing existing privacy notices, drafting separate consent mechanisms, and representing clients in Board enforcement proceedings. Whether you are a foreign investor, a local business, or an international platform with Turkish users, getting the separation of notice and consent right is a foundational step.

Contact us at info@monahukuk.com or call +90 (242) 606 14 32 to schedule a consultation in Antalya.